Guide public
Ingest OSSEC and Wazuh host intrusion detection alerts into the platform for correlation with cloud and container findings. Works with Docker Compose, systemd, or ECS Fargate. Audience: Security operations teams, infrastructure engineers. Temps moyen de mise en place: 3 minutes.
Étape 1
Mount the OSSEC alerts file and start the scanner container in under a minute.
Étape 2
For production fleets, run as a systemd service with a secure env file, or as an ECS Fargate task.
Étape 3
Confirm alerts are flowing into the platform and correlating with cloud findings.
services:
secplatform-vms-scanner:
image: ghcr.io/your-org/secplatform-vms-scanner:latest
restart: unless-stopped
environment:
SECPLATFORM_API_URL: "https://api.yourdomain.com"
SECPLATFORM_API_KEY: "sp_xxxx"
OSSEC_ALERTS_FILE: /alerts/alerts.json
SCAN_INTERVAL_SECONDS: "60"
LOG_LEVEL: INFO
volumes:
- /var/ossec/logs/alerts:/alerts:ro
ports:
- "8080:8080"
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
interval: 30s
timeout: 5s
retries: 3# Create secure env file (root-only)
install -d -m 750 /etc/secplatform
install -m 600 /dev/null /etc/secplatform/env
cat > /etc/secplatform/env << 'EOF'
SECPLATFORM_API_URL=https://api.yourdomain.com
SECPLATFORM_API_KEY=sp_xxxx
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
SCAN_INTERVAL_SECONDS=60
EOF
# Create and enable service
cat > /etc/systemd/system/secplatform-vms-scanner.service << 'EOF'
[Unit]
Description=SecPlatform VM Scanner
After=docker.service
Requires=docker.service
[Service]
Restart=always
EnvironmentFile=/etc/secplatform/env
ExecStartPre=-/usr/bin/docker rm -f secplatform-vms-scanner
ExecStart=/usr/bin/docker run --rm --name secplatform-vms-scanner \
--env-file /etc/secplatform/env \
-v /var/ossec/logs/alerts:/var/ossec/logs/alerts:ro \
-p 8080:8080 \
ghcr.io/your-org/secplatform-vms-scanner:latest
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now secplatform-vms-scanner